Properly "locking" a useraccount (on a proxy)
tss at iki.fi
Fri Oct 24 23:43:28 UTC 2014
On 21 Oct 2014, at 11:27, Ralf Hildebrandt <r at sys4.de> wrote:
> But how can I "lock" a user during migration?
> The plan is:
> * lock the user
> * kick the user (doveadm kick)
> * migrate mailbox (some rsync magic)
> * unlock the user again
Alternative is to use "doveadm sync" and you don't necessarily even need to lock anything at all.
> But how would I lock the user?
> What locking needs to achieve:
> 1) Disallow IMAP/POP login (that's easy!)
Yeah, many ways.
> 2) defer LMTP delivery somehow (Postfix is talking to dovecot's LMTP server)
- LMTP proxy does a passdb lookup. I'm not sure if there's any good way to fail in here. I was planning to suggest allow_nets=0.0.0.0/32 but looks like LMTP proxying just ignores that. Fixed now: http://hg.dovecot.org/dovecot-2.2/rev/3a8b417b0b80
- LMTP backend does a userdb lookup. Userdb lookup can return either "user doesn't exist" or "temporary failure". Nothing else. You can have it return a temporary failure by having it return "tempfail" extra field.
More information about the dovecot